Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2023, 18:39
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
Size: 7.1MB
MD5: d723b4ca982a1f9bb574bc26d8aad480
SHA1: afcd316e24d3b21af123641661e25852b8f30abd
SHA256: aa8236bb683502bfe7e061ea42e0b252174895596324fef42392c4dc86d68a1e
SHA512: e43ff82db72223d5e5bde6fa15cd69d6038dfb6af9b0f1be4fd59bfe74846402eb08367c92fa8686464db905788db660a0d9fa18e0a076e3e9f550b47d32bf4a
SSDEEP: 196608:Zk7YeQEkSIKJAx9JWt0iudWlRJ/tVrMt4qb1Co:evkSgTdiO4DEWm1C
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource    yara_rule
  behavioral1/memory/2456-4-0x00000000012E0000-0x000000000132E000-memory.dmp    agile_net
  behavioral1/memory/2456-5-0x000000001CE00000-0x000000001CF4A000-memory.dmp    agile_net

Suspicious use of WriteProcessMemory (3 IoCs)
  description    pid    Process    procid_target
  PID 2456 wrote to memory of 2728    2456    NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe    28
  PID 2456 wrote to memory of 2728    2456    NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe    28
  PID 2456 wrote to memory of 2728    2456    NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe    28
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe"
  PID: 2456
  Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2456 -s 864
    PID: 2728